Apologies if this question is a bit simple. Actually there are 2 questions:

1. If a FB user has granted the email permission to my app, how do I then email them? If I just send an email using the address stored in their user account (NNNNNN@facebook.com) then how will Facebook know it's from an authorized app and not spam? Do I need to include my app_id in the subject or something like that?

2. What happens if I try to send an email to a user who has NOT granted that permission?

Thanks in advance.

Comments

Dave Cohen’s picture

Dave Cohen commented

1. NNNN@facebook should be the user name, not email. See what's in the user table for both name and email.

2. if the $account object comes from a user_load(), $account->email should contain a proxy address (something@facebook.com) But probably facebook will not deliver the email to the actual user. fb_user.module puts it there so drupal modules will not break.

The above answers assume fb_user.module is enabled.

Also check your user table and if necessary change the length of the email column to varchar(255) for no good reason drupal makes the column shorter than many email addresses.

WildBill’s picture

WildBill commented

Hi Dave, thanks for the reply.

So if I have & use the proxy email address, that is the sign to FB that I've been granted the email permission, and that the email should be delivered to the user? If I have that correct, then I should be able to use Rules & Actions to send emails to the user as needed... right?

Dave Cohen’s picture

Dave Cohen commented
Status: Active » Fixed

Yeah. The goal is to populate the user table and $account data so that everything works as Drupal expects it to work.

That said, an email won't always reach its intended destination. And its possible to have accounts without email addresses, there's not much that can be done to prevent that.

Marking as fixed, change that if it's not.

WildBill’s picture

WildBill commented
Status: Fixed » Active

I've added the "email" permission to the initial authorization for my app, and I checked the first couple of users who were created.... and... it's not a proxied email that Drupal is storing, it's just a straight up normal email. That can't be in compliance with Facebook's ToS... not to mention if the user de-authorized the app, Drupal would have no way of knowing that, and would continue to "spam" the user...

Dave Cohen’s picture

Dave Cohen commented

That can't be in compliance with Facebook's ToS

I'm no lawyer, but it can be and is, from all I've read and been told.

if the user de-authorized the app, Drupal would have no way of knowing that

Facebook sends a notification. Drupal for Facebook invokes hook_fb() when that notification is received so that custom modules can act, but the modules do nothing directly in response to that notice.

Whether you get a normal email or proxied depends on what the user chooses when authorizing the app.

Sam Straub’s picture

Sam Straub commented

@Dave Cohen, you said: "That said, an email won't always reach its intended destination. And its possible to have accounts without email addresses, there's not much that can be done to prevent that."

In what circumstance would an email not be created?

Thanks!

Dave Cohen’s picture

Dave Cohen commented

If you don't prompt for the email extended permission, fb_user.module will create an account without email. other modules could do it under other circumstances.

WildBill’s picture

WildBill commented

I was under the impression that apps were forbidden from storing a FB user's information (i.e. email) directly. Isn't that why DFF uses NNNNNNN@facebook instead of the user's actual name? Maybe I'm misunderstanding.

So if I understand you correctly, there is nothing at the moment that would prevent Drupal from sending emails to users who had de-authorized the app. A custom module would need to be written to handle that. Please let me know if I have that wrong.

Dave Cohen’s picture

Dave Cohen commented
Status: Active » Fixed

Facebook changed the policy about a year ago. now you can save some data, like email.

User names are NNNNN@facebook because drupal requires a username to be unique, facebook doesn't.

Sending email from drupal should work whether it is a custom module, contrib module, or action or what have you.

WildBill’s picture

WildBill commented

Okay, thanks. But what I meant was that if the user de-authorized the app, Drupal would have no way of knowing that, and if there was a rule+action set up to email users, it would send the emails anyways (as it stands now). Additional modules and/or code would be needed to NOT email the de-authed users, correct?

I'm just trying to stay squeaky clean with FB and not get reported for spam.

Dave Cohen’s picture

Dave Cohen commented

When a user revokes authorization, facebook does send an event. Right now modules/fb does nothing in response to that event, except to call hook_fb(), so a third-party module can act. Some apps might want to delete an account in such a case, but I don't want to put that code in modules/fb because it seems dangerous. In your case you could do that or unsubscribe the user.

Also the nature of http is such that these events are not truly reliable. Could be a user revokes authorization and the event is never received by your server. So modules/fb is written to not depend on these events.

WildBill’s picture

WildBill commented

Okay, thanks Dave. I wish I knew more PHP so I could write that module. :P

giorgio79’s picture

giorgio79 commented

Having the "revoke authorization" event exposed via hook_action would be the way to go it seems. So users can do whatever they want when it happens.

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.